Default automation stitches

The following default automation stitches are included in FortiOS:

• Compromised Host Quarantine
• Incoming Webhook Quarantine
• HA Failover
• Network Down
• Reboot
• FortiAnalyzer Connection Down
• License Expired Notification
• Security Rating Notification

To view and edit the automation stitches in the GUI, go to Security Fabric > Automation.

CLI configurations

Compromised Host Quarantine

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

FortiAnalyzer Connection Down

config system automation-action

edit "FortiAnalyzer Connection Down_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "FortiAnalyzer Connection Down"

set trigger-type event-based

set event-type event-log

set logid 22902

next

end

config system automation-stitch

edit "FortiAnalyzer Connection Down"

set status enable

set trigger "FortiAnalyzer Connection Down"

set action "FortiAnalyzer Connection Down_fortiexplorer-notification"

next

end

Network Down

config system automation-action

edit "Network Down_email"

set action-type email

set email-from ''

set email-subject "Network Down"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "Network Down"

set trigger-type event-based

set event-type event-log

set logid 20099

config fields

edit 1

set name "status"

set value "DOWN"

next

end

next

end

config system automation-stitch

edit "Network Down"

set status disable

set trigger "Network Down"

set action "Network Down_email"

next

end

HA Failover

config system automation-action

edit "HA Failover_email"

set action-type email

set email-from ''

set email-subject "HA Failover"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "HA Failover"

set trigger-type event-based

set event-type ha-failover

next

end

config system automation-stitch

edit "HA Failover"

set status disable

set trigger "HA Failover"

set action "HA Failover_email"

next

end

Incoming Webhook Quarantine

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Incoming Webhook Call"

set trigger-type event-based

set event-type incoming-webhook

next

end

config system automation-stitch

edit "Incoming Webhook Quarantine"

set status disable

set trigger "Incoming Webhook Call"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

License Expired Notification

config system automation-action

edit "License Expired Notification_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "License Expired Notification"

set trigger-type event-based

set event-type license-near-expiry

set license-type any

next

end

config system automation-stitch

edit "License Expired Notification"

set status enable

set trigger "License Expired Notification"

set action "License Expired Notification_fortiexplorer-notification"

next

end

Reboot

config system automation-action

edit "Reboot_email"

set action-type email

set email-from ''

set email-subject "Reboot"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "Reboot"

set trigger-type event-based

set event-type reboot

next

end

config system automation-stitch

edit "Reboot"

set status disable

set trigger "Reboot"

set action "Reboot_email"

next

end

Security Rating Notification

config system automation-action

edit "Security Rating Notification_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Security Rating Notification"

set trigger-type event-based

set event-type security-rating-summary

set report-type posture

next

end

config system automation-stitch

edit "Security Rating Notification"

set status enable

set trigger "Security Rating Notification"

set action "Security Rating Notification_fortiexplorer-notification"

next

end